B324: Test use of insecure md4, md5, or sha1 hash functions in hashlib¶
This plugin checks for the usage of the insecure MD4, MD5, or SHA1 hash
hashlib.new function provides
the ability to construct a new hashing object using the named algorithm. This
can be used to create insecure hash functions like MD4 and MD5 if they are
passed as algorithm names to this function.
For Python versions prior to 3.9, this check is similar to B303 blacklist
except that this checks for insecure hash functions created using
hashlib.new function. For Python version 3.9 and later, this check
does additional checking for usage of keyword usedforsecurity on all
function variations of hashlib.
>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False Severity: High Confidence: High CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) Location: examples/hashlib_new_insecure_functions.py:3:0 More Info: https://bandit.readthedocs.io/en/latest/plugins/b324_hashlib.html 2 3 hashlib.new('md5') 4
New in version 1.5.0.
Changed in version 1.7.3: CWE information added